Research by the Norwegian Consumer Council (Forbrukerrådet) shows that many smartphone apps send highly personal data to thousands of advertising partners. The report uncovers how a large number of shadowy entities are receiving personal data about our interests, habits, and behaviour, every time we use certain apps on our phones. This information is used to create comprehensive profiles about us, which can be used for targeted advertising and other purposes.

“These practices are out of control and are rife with privacy violations and breaches of European law. The extent of tracking makes it impossible for us to make informed choices about how our personal data is collected, shared and used. Consequently, this massive commercial surveillance is systematically at odds with our fundamental rights”, says Finn Myrstad, director of digital policy in the Norwegian Consumer Council.

“Every time you open an app like Grindr advertisement networks get your GPS location, device identifiers and even the fact that you use a gay dating app. This is an insane violation of users’ EU privacy rights”, says Max Schrems, founder of the European privacy non-profit noyb

Three Complaints filed with the relevant Data Protection Authority

The Norwegian Consumer Council has filed three formal complaints against the gay/bi dating app Grindr and five adtech companies that were receiving personal data through the app: Twitter`s MoPub, AT&T’s AppNexus, OpenX, AdColony and Smaato. All complaints were filed, in cooperation with noyb, at the Norwegian Data Protection Authority (DPA) because of breaches of the General Data Protection Regulation (GDPR).

While the Norwegian complaints concern a Norwegian Android user, noyb will file similar complaints with the Austrian DPA concerning an Austrian iOS user within the upcoming weeks.

Profiling: Tracking online and on your phone

Many actors in the adtech industry collect information about us from a variety of places, including web browsing, connected devices, and social media. When combined, this data provides a detailed picture of individuals, revealing our daily lives, our secret desires, and our most vulnerable moments.

Ala Krinickytė, lawyer at noyb: “In the case of Grindr, it seems especially problematic, that third parties do not just get the GPS location or device identifiers, but also the information that a person is using a dating app that is described as being ‘exclusively for gay/bi community’. This obviously reveals the sexual orientation of the user.”

What has to be done?

The Norwegian Consumer Council urges companies that rely on digital advertising to look towards alternative solutions to the currently domineering adtech system, such as technologies that do not rely on widespread broadcasting and the collection of personal data.

“The situation is completely out of control. In order to shift the significant power imbalance between consumers and third party companies, the current practices of extensive tracking and profiling have to end”, says Myrstad.

There are very few actions consumers can take to limit or prevent the massive tracking and data sharing that is happening all across the internet. Authorities must take active enforcement measures to protect consumers against the illegal exploitation of personal data.

Acknowledgements

The project was led by the Norwegian Consumer Council

The technical tests were carried out by the security company Mnemonic.

The research on the adtech industry and specific data brokers was performed with assistance from the researcher Wolfie Christl of Cracked Labs.

Additional auditing of the Grindr app was performed by the researcher Zach Edwards of MetaX.

The legal analysis and formal complaints were written with assistance from noyb. noyb is supported by more than 3.000 supporting members and works on strategic litigation to enforce the fundamental right to data protection in practice.

Project

Support us!

Follow us!

Media coverage

Privacy activist Max Schrems called on the European authorities to push the Irish regulator to speed up its handling of cases he has brought against Facebook on the second anniversary of the introduction of rules designed to help protect the data of consumers. Schrems, long a thorn in the side of Facebook, bemoaned the lack of progress since the introduction of the General Data Protection Regulation (GDPR) regime across Europe in 2018.

noyb argues that Facebook uses a strategy of “forced consent” to continue processing individuals’ personal data — when the standard required by EU law is for users to be given a free choice unless consent is strictly necessary for provision of the service.